The above URL was linked from the latest RISKS digest at: http://catless.ncl.ac.uk/Risks/28.11.html#subj3

Steps:
1) Create a new, empty, profile with "firefox -ProfileManager -no-remote" and start it.
2) Visit the above URL
3) Wait. Maybe scroll around a bit. Click or drag on the images. Alt-Tab away to another window and back. Basically pointless random activity. I've no idea whether that speeds up the crash or not, which generally happens within a minute or so, but it makes me feel better while waiting.

Versions:
firefox-31.0-1.fc20.x86_64
libdrm-2.4.54-1.fc20.x86_64
mesa-dri-drivers-10.1.5-1.20140607.fc20.x86_64

My graphics card reports as:
kernel: nouveau  [  DEVICE][0000:0f:00.0] Chipset: G72 (NV46)
[    34.152] (--) NOUVEAU(0): Chipset: "NVIDIA NV46"
0f:00.0 0300: 10de:01d3 (rev a1) (prog-if 00 [VGA controller])
        Subsystem: 1458:3470
0f:00.0 VGA compatible controller: NVIDIA Corporation G72 [GeForce 7200 GS / 7300 SE] (rev a1) (prog-if 00 [VGA controller])
        Subsystem: Gigabyte Technology Co., Ltd Device 3470

One of the crashes I saw involved the mesa dri driver, however I suspect that might be a red herring and the problem is actually in the JS JIT smashing memory.

Backtraces to follow...
First backtrace:

(gdb) bt
#0  PatchJump (label=..., jump=...) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/x64/Assembler-x64.h:716
#1  js::jit::JitRuntime::patchIonBackedges (this=<optimized out>, rt=<optimized out>, target=target@entry=js::jit::JitRuntime::BackedgeLoopHeader) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/Ion.cpp:412
#2  0x00007fbd5fbb0190 in InterruptCheck (cx=0x7fbd6158c980) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/VMFunctions.cpp:523
#3  js::jit::CheckOverRecursedWithExtra (cx=0x7fbd6158c980, frame=<optimized out>, extra=<optimized out>, earlyCheck=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/jit/VMFunctions.cpp:177
#4  0x00007fbd616555aa in ?? ()
#5  0x00007fff7b40f2f8 in ?? ()
#6  0x00007fff7b40f2a0 in ?? ()
#7  0x00007fbd61247120 in DebugPrologueInfo () from /usr/lib64/firefox/libxul.so
#8  0x00007fbd53634940 in ?? ()
#9  0x00007fbd3941a2a9 in ?? ()
#10 0x0000000000000881 in ?? ()
#11 0x00007fff7b40f300 in ?? ()
#12 0x0000000000000000 in ?? ()
(gdb) info reg
rax            0x7fbd29cdfa3a	140450426911290
rbx            0x7fbd26156c00	140450364484608
rcx            0xfffffffffffffe4f	-433
rdx            0xfffffffffffffe4f	-433
rsi            0x7fbd29cdf889	140450426910857
rdi            0x7fbd29cdff18	140450426912536
rbp            0x7fbd6154cd38	0x7fbd6154cd38
rsp            0x7fff7b40f230	0x7fff7b40f230
r8             0x7fbd37dc40c0	140450662727872
r9             0x0	0
r10            0x7fff7b40f2c0	140735261242048
r11            0x7fbd55833130	140451160207664
r12            0x1	1
r13            0x7fff7b40fb30	140735261244208
r14            0x203	515
r15            0x7fbd6158c980	140451358755200
rip            0x7fbd5fadb533	0x7fbd5fadb533 <js::jit::JitRuntime::patchIonBackedges(JSRuntime*, js::jit::JitRuntime::BackedgeTarget)+211>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) print $_siginfo
$1 = {si_signo = 11, si_errno = 0, si_code = 2, _sifields = {_pad = {701364790, 32701, 36171664, 0, -1611239392, 32657, -1598469472, 32657, 7, 1, 37341680, 0, 0, 0, 6063689, 0, 20087808, 0, 12289888, 48, 4080, 0, 0, 0, 0, 0, 0, 0}, _kill = {si_pid = 701364790, si_uid = 32701}, _timer = {si_tid = 701364790, si_overrun = 32701, si_sigval = {sival_int = 36171664, sival_ptr = 0x227ef90}}, _rt = {si_pid = 701364790, si_uid = 32701, si_sigval = {sival_int = 36171664, sival_ptr = 0x227ef90}}, _sigchld = {si_pid = 701364790, si_uid = 32701, si_status = 36171664, si_utime = -6920220494666924032, si_stime = -6865374105894355055}, _sigfault = {si_addr = 0x7fbd29cdfa36}, _sigpoll = {si_band = 140450426911286, si_fd = 36171664}}}
Second backtrace, in the nouveau dri driver. As can be seen, the entire nv30_context structure looks completely smashed with 'Z' bytes.

(gdb) bt
#0  nouveau_fence_next (screen=screen@entry=0x5a5a5a5a5a5a5a5a) at nouveau_fence.c:226
#1  0x00007fb7aff72dd4 in nv30_context_kick_notify (push=0x7fb7cd268e20) at nv30/nv30_context.c:47
#2  0x00007fb7afa0544c in pushbuf_submit (push=push@entry=0x7fb7cd268e20, chan=<optimized out>, chan=<optimized out>) at pushbuf.c:325
#3  0x00007fb7afa056fe in pushbuf_flush (push=push@entry=0x7fb7cd268e20) at pushbuf.c:402
#4  0x00007fb7afa061e0 in nouveau_pushbuf_kick (push=push@entry=0x7fb7cd268e20, chan=<optimized out>) at pushbuf.c:774
#5  0x00007fb7aff72f13 in PUSH_KICK (push=0x7fb7cd268e20) at ./nouveau_winsys.h:56
#6  nv30_context_flush (pipe=0x7fb7b9cc5000, fence=<optimized out>, flags=<optimized out>) at nv30/nv30_context.c:81
#7  0x00007fb7afd6f014 in st_glFlush (ctx=<optimized out>) at state_tracker/st_cb_flush.c:121
#8  0x00007fb7afc78baa in _mesa_make_current (newCtx=newCtx@entry=0x0, drawBuffer=drawBuffer@entry=0x0, readBuffer=readBuffer@entry=0x0) at main/context.c:1503
#9  0x00007fb7afd95ea3 in st_api_make_current (stapi=<optimized out>, stctxi=0x0, stdrawi=0x0, streadi=0x0) at state_tracker/st_manager.c:746
#10 0x00007fb7aff5abef in dri_unbind_context (cPriv=<optimized out>) at dri_context.c:215
#11 0x00007fb7afc5660d in driUnbindContext (pcp=0x7fb7a2a2d340) at dri_util.c:578
#12 0x000000300601c60d in MakeContextCurrent (dpy=0x7fb7dc4db000, draw=0, read=0, gc_user=0x0) at glxcurrent.c:245
#13 0x00007fb7d98c6dfe in mozilla::gl::GLContextGLX::~GLContextGLX (this=0x7fb79e75f800, __in_chrg=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/gfx/gl/GLContextProviderGLX.cpp:836
#14 0x00007fb7d98c6e57 in mozilla::gl::GLContextGLX::~GLContextGLX (this=0x7fb79e75f800, __in_chrg=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/gfx/gl/GLContextProviderGLX.cpp:845
#15 0x00007fb7da0772a6 in assign_with_AddRef (rawPtr=0x0, this=0x7fb79fd98c80) at ../../../dist/include/nsAutoPtr.h:866
#16 operator= (rhs=0x0, this=0x7fb79fd98c80) at ../../../dist/include/nsAutoPtr.h:964
#17 mozilla::WebGLContext::DestroyResourcesAndContext (this=this@entry=0x7fb79fd98c00) at /usr/src/debug/firefox-31.0/mozilla-release/content/canvas/src/WebGLContext.cpp:284
#18 0x00007fb7da077302 in mozilla::WebGLContext::~WebGLContext (this=0x7fb79fd98c00, __in_chrg=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/content/canvas/src/WebGLContext.cpp:203
#19 0x00007fb7da07483d in mozilla::WebGL1Context::~WebGL1Context (this=0x7fb79fd98c00, __in_chrg=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/content/canvas/src/WebGL1Context.cpp:25
#20 0x00007fb7d9455f42 in SnowWhiteKiller::~SnowWhiteKiller (this=0x7fff0ccff1a0, __in_chrg=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/xpcom/base/nsCycleCollector.cpp:2403
#21 0x00007fb7d9456006 in nsCycleCollector::FreeSnowWhite (this=0x7fb7d1c8e000, aUntilNoSWInPurpleBuffer=aUntilNoSWInPurpleBuffer@entry=false) at /usr/src/debug/firefox-31.0/mozilla-release/xpcom/base/nsCycleCollector.cpp:2568
#22 0x00007fb7d9456669 in nsCycleCollector_doDeferredDeletion () at /usr/src/debug/firefox-31.0/mozilla-release/xpcom/base/nsCycleCollector.cpp:3846
#23 0x00007fb7d9d82377 in AsyncFreeSnowWhite::Run (this=0x7fb7d06bf7a0) at /usr/src/debug/firefox-31.0/mozilla-release/js/xpconnect/src/XPCJSRuntime.cpp:211
#24 0x00007fb7d9486811 in nsThread::ProcessNextEvent (this=0x7fb7dc4e9b60, mayWait=<optimized out>, result=0x7fff0ccff2c7) at /usr/src/debug/firefox-31.0/mozilla-release/xpcom/threads/nsThread.cpp:715
#25 0x00007fb7d944020f in NS_ProcessNextEvent (thread=<optimized out>, mayWait=mayWait@entry=false) at /usr/src/debug/firefox-31.0/mozilla-release/xpcom/glue/nsThreadUtils.cpp:263
#26 0x00007fb7d963bb1b in mozilla::ipc::MessagePump::Run (this=0x7fb7d1c35700, aDelegate=0x7fb7dc47e500) at /usr/src/debug/firefox-31.0/mozilla-release/ipc/glue/MessagePump.cpp:95
#27 0x00007fb7d962c57b in RunHandler (this=0x7fb7dc47e500) at /usr/src/debug/firefox-31.0/mozilla-release/ipc/chromium/src/base/message_loop.cc:222
#28 MessageLoop::Run (this=0x7fb7dc47e500) at /usr/src/debug/firefox-31.0/mozilla-release/ipc/chromium/src/base/message_loop.cc:196
#29 0x00007fb7d9d3f9cb in nsBaseAppShell::Run (this=0x7fb7cd65e080) at /usr/src/debug/firefox-31.0/mozilla-release/widget/xpwidgets/nsBaseAppShell.cpp:164
#30 0x00007fb7da69292a in nsAppStartup::Run (this=0x7fb7cd6600b0) at /usr/src/debug/firefox-31.0/mozilla-release/toolkit/components/startup/nsAppStartup.cpp:278
#31 0x00007fb7da662a04 in XREMain::XRE_mainRun (this=this@entry=0x7fff0ccff580) at /usr/src/debug/firefox-31.0/mozilla-release/toolkit/xre/nsAppRunner.cpp:4019
#32 0x00007fb7da662ca2 in XREMain::XRE_main (this=this@entry=0x7fff0ccff580, argc=argc@entry=3, argv=argv@entry=0x7fff0cd00a88, aAppData=aAppData@entry=0x7fff0ccff780) at /usr/src/debug/firefox-31.0/mozilla-release/toolkit/xre/nsAppRunner.cpp:4088
#33 0x00007fb7da662f04 in XRE_main (argc=3, argv=0x7fff0cd00a88, aAppData=0x7fff0ccff780, aFlags=<optimized out>) at /usr/src/debug/firefox-31.0/mozilla-release/toolkit/xre/nsAppRunner.cpp:4300
#34 0x000000000040408d in do_main (argc=argc@entry=3, argv=argv@entry=0x7fff0cd00a88, xreDirectory=0x7fb7dc4386c0) at /usr/src/debug/firefox-31.0/mozilla-release/browser/app/nsBrowserApp.cpp:282
#35 0x000000000040382f in main (argc=3, argv=0x7fff0cd00a88) at /usr/src/debug/firefox-31.0/mozilla-release/browser/app/nsBrowserApp.cpp:643
(gdb) print $_siginfo
$1 = {si_signo = 11, si_errno = 0, si_code = 128, _sifields = {_pad = {0, 0, 185973016, 0, 190245328, 0, 190953880, 0, 7, 1, 186547040, 0, 0, 0, 6063689, 0, 51078144, 0, 12289888, 48, 4080, 0, 0, 0, 0, 0, 0, 0}, _kill = {si_pid = 0, si_uid = 0}, _timer = {si_tid = 0, si_overrun = 0, si_sigval = {sival_int = 185973016, sival_ptr = 0xb15b918}}, _rt = {si_pid = 0, si_uid = 0, si_sigval = {sival_int = 185973016, sival_ptr = 0xb15b918}}, _sigchld = {si_pid = 0, si_uid = 0, si_status = 185973016, si_utime = 817097461976793088, si_stime = 820140669644308480}, _sigfault = {si_addr = 0x0}, _sigpoll = {si_band = 0, si_fd = 185973016}}}
(gdb) info reg
rax            0x7fb7ab476308	140426829325064
rbx            0x5a5a5a5a5a5a5a5a	6510615555426900570
rcx            0x0	0
rdx            0x7fb7c07acf60	140427185016672
rsi            0x80000001	2147483649
rdi            0x5a5a5a5a5a5a5a5a	6510615555426900570
rbp            0x5a5a5a5a5a5a5b4a	0x5a5a5a5a5a5a5b4a
rsp            0x7fff0ccfede0	0x7fff0ccfede0
r8             0x30062687e0	206261618656
r9             0x0	0
r10            0x7fb7dc5490d0	140427652272336
r11            0x7fb7dc5494c8	140427652273352
r12            0x7fb7cd268d70	140427397598576
r13            0x5a5a5a5a5a5a5a5a	6510615555426900570
r14            0x7fb7cd268e20	140427397598752
r15            0x3006268400	206261617664
rip            0x7fb7aff69f10	0x7fb7aff69f10 <nouveau_fence_next+16>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) list
221	}
222	
223	void
224	nouveau_fence_next(struct nouveau_screen *screen)
225	{
226	   if (screen->fence.current->state < NOUVEAU_FENCE_STATE_EMITTING)
227	      nouveau_fence_emit(screen->fence.current);
228	
229	   nouveau_fence_ref(NULL, &screen->fence.current);
230	
(gdb) disas
Dump of assembler code for function nouveau_fence_next:
   0x00007fb7aff69f00 <+0>:	push   rbp
   0x00007fb7aff69f01 <+1>:	push   rbx
   0x00007fb7aff69f02 <+2>:	mov    rbx,rdi
   0x00007fb7aff69f05 <+5>:	lea    rbp,[rbx+0xf0]
   0x00007fb7aff69f0c <+12>:	sub    rsp,0x8
=> 0x00007fb7aff69f10 <+16>:	mov    rdi,QWORD PTR [rdi+0xf0]
   0x00007fb7aff69f17 <+23>:	mov    eax,DWORD PTR [rdi+0x10]
   0x00007fb7aff69f1a <+26>:	test   eax,eax
   0x00007fb7aff69f1c <+28>:	jle    0x7fb7aff69f50 <nouveau_fence_next+80>
   0x00007fb7aff69f1e <+30>:	sub    DWORD PTR [rdi+0x14],0x1
(gdb) up
#1  0x00007fb7aff72dd4 in nv30_context_kick_notify (push=0x7fb7cd268e20) at nv30/nv30_context.c:47
47	   nouveau_fence_next(screen);
(gdb) list nv30_context_kick_notify
36	static void
37	nv30_context_kick_notify(struct nouveau_pushbuf *push)
38	{
39	   struct nouveau_screen *screen;
40	   struct nv30_context *nv30;
41	
42	   if (!push->user_priv)
43	      return;
44	   nv30 = container_of(push->user_priv, nv30, bufctx);
45	   screen = &nv30->screen->base;
46	
47	   nouveau_fence_next(screen);
48	   nouveau_fence_update(screen, TRUE);
(gdb) print push.user_priv
$9 = (void *) 0x7fb7ab476308
(gdb) print &((struct nv30_context*)0x7fb7ab476000).bufctx
$14 = (struct nouveau_bufctx **) 0x7fb7ab476308
(gdb) print *(struct nv30_context*)0x7fb7ab476000
$13 = {base = {pipe = {screen = 0x5a5a5a5a5a5a5a5a, priv = 0x5a5a5a5a5a5a5a5a, draw = 0x5a5a5a5a5a5a5a5a, destroy = 0x5a5a5a5a5a5a5a5a, draw_vbo = 0x5a5a5a5a5a5a5a5a, render_condition = 0x5a5a5a5a5a5a5a5a, create_query = 0x5a5a5a5a5a5a5a5a, destroy_query = 0x5a5a5a5a5a5a5a5a, begin_query = 0x5a5a5a5a5a5a5a5a, end_query = 0x5a5a5a5a5a5a5a5a, get_query_result = 0x5a5a5a5a5a5a5a5a, create_blend_state = 0x5a5a5a5a5a5a5a5a, bind_blend_state = 0x5a5a5a5a5a5a5a5a, delete_blend_state = 0x5a5a5a5a5a5a5a5a, create_sampler_state = 0x5a5a5a5a5a5a5a5a, bind_sampler_states = 0x5a5a5a5a5a5a5a5a, delete_sampler_state = 0x5a5a5a5a5a5a5a5a, create_rasterizer_state = 0x5a5a5a5a5a5a5a5a, bind_rasterizer_state = 0x5a5a5a5a5a5a5a5a, delete_rasterizer_state = 0x5a5a5a5a5a5a5a5a, create_depth_stencil_alpha_state = 0x5a5a5a5a5a5a5a5a, bind_depth_stencil_alpha_state = 0x5a5a5a5a5a5a5a5a, delete_depth_stencil_alpha_state = 0x5a5a5a5a5a5a5a5a, create_fs_state = 0x5a5a5a5a5a5a5a5a, bind_fs_state = 0x5a5a5a5a5a5a5a5a, delete_fs_state = 0x5a5a5a5a5a5a5a5a, create_vs_state = 0x5a5a5a5a5a5a5a5a, bind_vs_state = 0x5a5a5a5a5a5a5a5a, delete_vs_state = 0x5a5a5a5a5a5a5a5a, create_gs_state = 0x5a5a5a5a5a5a5a5a, bind_gs_state = 0x5a5a5a5a5a5a5a5a, delete_gs_state = 0x5a5a5a5a5a5a5a5a, create_vertex_elements_state = 0x5a5a5a5a5a5a5a5a, bind_vertex_elements_state = 0x5a5a5a5a5a5a5a5a, delete_vertex_elements_state = 0x5a5a5a5a5a5a5a5a, set_blend_color = 0x5a5a5a5a5a5a5a5a, set_stencil_ref = 0x5a5a5a5a5a5a5a5a, set_sample_mask = 0x5a5a5a5a5a5a5a5a, set_clip_state = 0x5a5a5a5a5a5a5a5a, set_constant_buffer = 0x5a5a5a5a5a5a5a5a, set_framebuffer_state = 0x5a5a5a5a5a5a5a5a, set_polygon_stipple = 0x5a5a5a5a5a5a5a5a, set_scissor_states = 0x5a5a5a5a5a5a5a5a, set_viewport_states = 0x5a5a5a5a5a5a5a5a, set_sampler_views = 0x5a5a5a5a5a5a5a5a, set_shader_resources = 0x5a5a5a5a5a5a5a5a, set_vertex_buffers = 0x5a5a5a5a5a5a5a5a, set_index_buffer = 0x5a5a5a5a5a5a5a5a, create_stream_output_target = 0x5a5a5a5a5a5a5a5a, stream_output_target_destroy = 0x5a5a5a5a5a5a5a5a, set_stream_output_targets = 0x5a5a5a5a5a5a5a5a, resource_copy_region = 0x5a5a5a5a5a5a5a5a, blit = 0x5a5a5a5a5a5a5a5a, clear = 0x5a5a5a5a5a5a5a5a, clear_render_target = 0x5a5a5a5a5a5a5a5a, clear_depth_stencil = 0x5a5a5a5a5a5a5a5a, flush = 0x5a5a5a5a5a5a5a5a, create_sampler_view = 0x5a5a5a5a5a5a5a5a, sampler_view_destroy = 0x5a5a5a5a5a5a5a5a, create_surface = 0x5a5a5a5a5a5a5a5a, surface_destroy = 0x5a5a5a5a5a5a5a5a, transfer_map = 0x5a5a5a5a5a5a5a5a, transfer_flush_region = 0x5a5a5a5a5a5a5a5a, transfer_unmap = 0x5a5a5a5a5a5a5a5a, transfer_inline_write = 0x5a5a5a5a5a5a5a5a, texture_barrier = 0x5a5a5a5a5a5a5a5a, create_video_codec = 0x5a5a5a5a5a5a5a5a, create_video_buffer = 0x5a5a5a5a5a5a5a5a, create_compute_state = 0x5a5a5a5a5a5a5a5a, bind_compute_state = 0x5a5a5a5a5a5a5a5a, delete_compute_state = 0x5a5a5a5a5a5a5a5a, set_compute_resources = 0x5a5a5a5a5a5a5a5a, set_global_binding = 0x5a5a5a5a5a5a5a5a, launch_grid = 0x5a5a5a5a5a5a5a5a, get_sample_position = 0x5a5a5a5a5a5a5a5a, flush_resource = 0x5a5a5a5a5a5a5a5a}, screen = 0x5a5a5a5a5a5a5a5a, client = 0x5a5a5a5a5a5a5a5a, pushbuf = 0x5a5a5a5a5a5a5a5a, vbo_dirty = 90 'Z', cb_dirty = 90 'Z', copy_data = 0x5a5a5a5a5a5a5a5a, push_data = 0x5a5a5a5a5a5a5a5a, push_cb = 0x5a5a5a5a5a5a5a5a, invalidate_resource_storage = 0x5a5a5a5a5a5a5a5a, scratch = {map = 0x5a5a5a5a5a5a5a5a <error: Cannot access memory at address 0x5a5a5a5a5a5a5a5a>, id = 1515870810, wrap = 1515870810, offset = 1515870810, end = 1515870810, bo = {0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a}, current = 0x5a5a5a5a5a5a5a5a, runout = 0x5a5a5a5a5a5a5a5a, nr_runout = 1515870810, bo_size = 1515870810}, stats = {buf_cache_count = 1515870810, buf_cache_frame = 1515870810}}, screen = 0x5a5a5a5a5a5a5a5a, blitter = 0x5a5a5a5a5a5a5a5a, bufctx = 0x5a5a5a5a5a5a5a5a, state = {rt_enable = 1515870810, scissor_off = 1515870810, num_vtxelts = 1515870810, prim_restart = 90 'Z', fragprog = 0x5a5a5a5a5a5a5a5a}, dirty = 1515870810, draw = 0x5a5a5a5a5a5a5a5a, draw_flags = 1515870810, draw_dirty = 1515870810, blend = 0x5a5a5a5a5a5a5a5a, rast = 0x5a5a5a5a5a5a5a5a, zsa = 0x5a5a5a5a5a5a5a5a, vertex = 0x5a5a5a5a5a5a5a5a, config = {filter = 1515870810, aniso = 1515870810}, vertprog = {program = 0x5a5a5a5a5a5a5a5a, constbuf = 0x5a5a5a5a5a5a5a5a, constbuf_nr = 1515870810, textures = {0x5a5a5a5a5a5a5a5a <repeats 16 times>}, num_textures = 1515870810, samplers = {0x5a5a5a5a5a5a5a5a <repeats 16 times>}, num_samplers = 1515870810, dirty_samplers = 1515870810}, fragprog = {program = 0x5a5a5a5a5a5a5a5a, constbuf = 0x5a5a5a5a5a5a5a5a, constbuf_nr = 1515870810, textures = {0x5a5a5a5a5a5a5a5a <repeats 16 times>}, num_textures = 1515870810, samplers = {0x5a5a5a5a5a5a5a5a <repeats 16 times>}, num_samplers = 1515870810, dirty_samplers = 1515870810}, framebuffer = {width = 1515870810, height = 1515870810, nr_cbufs = 1515870810, cbufs = {0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a, 0x5a5a5a5a5a5a5a5a}, zsbuf = 0x5a5a5a5a5a5a5a5a}, blend_colour = {color = {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}}, stencil_ref = {ref_value = "ZZ"}, stipple = {stipple = {1515870810 <repeats 32 times>}}, scissor = {minx = 23130, miny = 23130, maxx = 23130, maxy = 23130}, viewport = {scale = {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, translate = {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}}, clip = {ucp = {{1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}, {1.53652219e+16, 1.53652219e+16, 1.53652219e+16, 1.53652219e+16}}}, sample_mask = 1515870810, vtxbuf = {{stride = 1515870810, buffer_offset = 1515870810, buffer = 0x5a5a5a5a5a5a5a5a, user_buffer = 0x5a5a5a5a5a5a5a5a} <repeats 32 times>}, num_vtxbufs = 1515870810, idxbuf = {index_size = 1515870810, offset = 1515870810, buffer = 0x5a5a5a5a5a5a5a5a, user_buffer = 0x5a5a5a5a5a5a5a5a}, vbo_fifo = 1515870810, vbo_user = 1515870810, vbo_min_index = 1515870810, vbo_max_index = 1515870810, vbo_push_hint = 90 'Z', blit_vp = 0x5a5a5a5a5a5a5a5a, blit_fp = 0x5a5a5a5a5a5a5a5a, is_nv4x = 1515870810, use_nv4x = 1515870810, hw_pointsprite_control = 90, render_mode = (unknown: 1515870810), render_cond_query = 0x5a5a5a5a5a5a5a5a, render_cond_mode = 1515870810, render_cond_cond = 90 'Z'}

/proc/<pid>/maps:
7fb7afa02000-7fb7afa08000 r-xp 00000000 08:02 29191777                   /usr/lib64/libdrm_nouveau.so.2.0.0
7fb7afc09000-7fb7b01d5000 r-xp 00000000 08:02 25854025                   /usr/lib64/dri/nouveau_dri.so
Third crash. I think this is attempting to execute some previously compiled JS, but apparently the target routine has no access permissions. (Whether that is because it didn't set it, or has removed it because that routine has been retired and shouldn't have been called any more, I can't say.)

Note that immediately before the target routine (the address at which we fault) is something that is obviously a pointer, then filled with 0x3b ';' bytes. It is that fill pattern that makes me suspect that the above nouveau crash had in fact been caused by the JS JIT mangling that area of memory.

The map containing the target routine is not mapped from a file (executable, shared library), which is what you'd expect from jitted code, and has no access permissions. (But is immediately followed by one that looks the same, but does have rwx permissions.)

(gdb) bt
#0  0x00007f6b19418768 in ?? ()
#1  0x00007f6b2152ad78 in ?? ()
#2  0x0000000000000202 in ?? ()
#3  0x00007f6b11114200 in ?? ()
#4  0x0000000000000001 in ?? ()
#5  0xfffbff6b11114180 in ?? ()
#6  0xfff880000000005a in ?? ()
#7  0x00007fffe15cd4b8 in ?? ()
#8  0x00007f6b0567ad88 in ?? ()
#9  0x00007f6b1eb58333 in ?? ()
#10 0x0000000000000701 in ?? ()
#11 0xfff880000000005a in ?? ()
#12 0xfffbff6b11114180 in ?? ()
#13 0xfffbff6b11114200 in ?? ()
#14 0xfff9000000000000 in ?? ()
#15 0xfffaff6b2f100ec0 in ?? ()
#16 0x00007fffe15cd410 in ?? ()
#17 0x00007f6b1bc9f600 in ?? ()
#18 0x00007f6a00000070 in ?? ()
#19 0x00007f6b111216a0 in ?? ()
#20 0x00007f6b3b9c46d9 in js::TypeOfObjectOperation (obj=<optimized out>, rt=0xfffbff6b11114200) at /usr/src/debug/firefox-31.0/mozilla-release/js/src/vm/Interpreter-inl.h:460
#21 0x00007f6b19449473 in ?? ()
#22 0x0000000000000000 in ?? ()
(gdb) print $_siginfo
$1 = {si_signo = 11, si_errno = 0, si_code = 2, _sifields = {_pad = {423724904, 32619, 43724584, 0, 375668768, 32543, 375887720, 32543, 7, 1, 43789248, 0, 0, 0, 6063689, 0, 29172736, 0, 12289888, 48, 4080, 0, 0, 0, 0, 0, 0, 0}, _kill = {si_pid = 423724904, si_uid = 32619}, _timer = {si_tid = 423724904, si_overrun = 32619, si_sigval = {sival_int = 43724584, sival_ptr = 0x29b2f28}}, _rt = {si_pid = 423724904, si_uid = 32619, si_sigval = {sival_int = 43724584, sival_ptr = 0x29b2f28}}, _sigchld = {si_pid = 423724904, si_uid = 32619, si_status = 43724584, si_utime = 1613485072688611328, si_stime = 1614425464368037663}, _sigfault = {si_addr = 0x7f6b19418768}, _sigpoll = {si_band = 140097961953128, si_fd = 43724584}}}
(gdb) info reg
rax            0x7f6b19418768	140097961953128
rbx            0xfffbff6b11114200	-1126539570626048
rcx            0x7fffe15cd4b8	140736974345400
rdx            0x202	514
rsi            0x7fffe15cd468	140736974345320
rdi            0x7f6b0567ad88	140097628908936
rbp            0x7fffe15cd430	0x7fffe15cd430
rsp            0x7fffe15cd400	0x7fffe15cd400
r8             0x0	0
r9             0x7fffe15cd1e0	140736974344672
r10            0x37	55
r11            0x701	1793
r12            0x0	0
r13            0x7fffe15cd968	140736974346600
r14            0x1	1
r15            0x0	0
rip            0x7f6b19418768	0x7f6b19418768
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) disass 0x00007f6b2152ad58,0x00007f6b2152ad98
Dump of assembler code from 0x7f6b2152ad58 to 0x7f6b2152ad98:
   0x00007f6b2152ad58:	add    BYTE PTR [rax-0x3f],cl
   0x00007f6b2152ad5b:	loope  0x7f6b2152ad62
   0x00007f6b2152ad5d:	push   rcx
   0x00007f6b2152ad5e:	movabs r11,0x7f6b31333e10
   0x00007f6b2152ad68:	mov    rcx,QWORD PTR [r11]
   0x00007f6b2152ad6b:	add    rcx,QWORD PTR [rsp]
   0x00007f6b2152ad6f:	add    rsp,0x8
   0x00007f6b2152ad73:	mov    DWORD PTR [rcx+0x18],edx
   0x00007f6b2152ad76:	call   rax
   0x00007f6b2152ad78:	pop    r11
   0x00007f6b2152ad7a:	shr    r11,0x4
   0x00007f6b2152ad7e:	add    rsp,r11
   0x00007f6b2152ad81:	pop    rbp
(gdb) x/64gx 0x00007f6b19418700
0x7f6b19418700:	0x3b3b3b3b3b3b3b3b	0x3b3b3b3b3b3b3b3b
0x7f6b19418710:	0x3b3b3b3b3b3b3b3b	0x3b3b3b3b3b3b3b3b
0x7f6b19418720:	0x3b3b3b3b3b3b3b3b	0x3b3b3b3b3b3b3b3b
0x7f6b19418730:	0x3b3b3b3b3b3b3b3b	0x3b3b3b3b3b3b3b3b
0x7f6b19418740:	0x3b3b3b3b3b3b3b3b	0x3b3b3b3b3b3b3b3b
0x7f6b19418750:	0x3b3b3b3b3b3b3b3b	0x3b3b3b3b3b3b3b3b
0x7f6b19418760:	0x00007f6afe2cbb50	0xe8c1482024448b48
0x7f6b19418770:	0x0f0001fff7f8812f	0x5c8b4c0000026985
0x7f6b19418780:	0xffffffffb8482024	0x48d8214c00007fff
0x7f6b19418790:	0x102468bb4908408b	0xd8394c00007f6b11
(gdb) disass 0x00007f6b19418768,0x00007f6b19418790
Dump of assembler code from 0x7f6b19418768 to 0x7f6b19418790:
=> 0x00007f6b19418768:	mov    rax,QWORD PTR [rsp+0x20]
   0x00007f6b1941876d:	shr    rax,0x2f
   0x00007f6b19418771:	cmp    eax,0x1fff7
   0x00007f6b19418777:	jne    0x7f6b194189e6
   0x00007f6b1941877d:	mov    r11,QWORD PTR [rsp+0x20]
   0x00007f6b19418782:	movabs rax,0x7fffffffffff
   0x00007f6b1941878c:	and    rax,r11
   0x00007f6b1941878f:	mov    rax,QWORD PTR [rax+0x8]

/proc/<pid>/maps:
7f6b1940d000-7f6b1941d000 ---p 00000000 00:00 0
7f6b1941d000-7f6b1942d000 rwxp 00000000 00:00 0
Further note: when running under gdb, I can sometimes see a lot of SIGSEGVs happening. Sometimes, when continued and left to its own devices, firefox will continue running happily with no visible sign of any problem. Sometimes it exits to the crash reporter.
Hmm. When I first clicked the link, and for a while after, it would crash pretty quickly. Now, not so much. It still does, but several page refreshes might be required. (This suggests that it's something in the dynamically inserted content causing the problem, perhaps one of the banners, which changes each page load.)

Running firefox with MOZ_CRASHREPORTER_DISABLE=1 set, so I don't have to run it under gdb to get the backtrace, shows that of 5 crashes, *all* have an identical backtrace to comment 2, in the nouveau/dri driver. And the nv30_context structure is almost always full of 0x5a 'Z' bytes, but on just one of them it is full of zeroes instead. These bytes appear to start usually somewhat before the start of the structure, and carry on for well after the structure ends. Usually a bit more than a page's worth before it looks like something else starts appearing over the top of them.

So I'm changing my mind: the other JS-related SEGVs are likely just how the JIT works (I can think of several things it could be doing by setting pages as no-access then using the signal handler to fix them up later). These are never a problem and never cause an actual firefox crash. The real crashes are always caused by something nouveau/mesa/WebGL related.
The 0x5a signature usually means that the memory has already been freed by free() and filled with this pattern for debugging purposes. So I think it's really a bug in nouveau.
I only want to point to another bug report at Launchpad: https://bugs.launchpad.net/ubuntu/+source/mesa/+bug/1364522 At least the second backtrace seems equal to the one in comment 2, which should be fixable by a little patch, "nv30: avoid dangling references to deleted contexts", in the nouveau driver (in mesa 10.2.2).
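The failure sequence in comment 2 (a WebGL context is destroyed, then a deferred flush kicks the shared pushbuf whose user_priv still points into the freed nv30_context, so nouveau_fence_next is handed a 0x5a5a... screen pointer) as a reduced C model. This is an added example, not mesa's code: the struct layouts, the one-slot poisoning allocator and the shape of the ctx_destroy_fixed check are assumptions modelled on the frames above and on the title of the Launchpad fix.

```c
/* Model of the dangling-context use-after-free behind the second backtrace
 * (added example, not mesa's code). Structs are cut down to what
 * nv30_context_kick_notify() touches; "free" junk-fills with 0x5a like jemalloc. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JUNK_FREED 0x5a   /* jemalloc's fill byte for freed memory */
struct nouveau_pushbuf { void *user_priv; };               /* set by the last context to drive it */
struct nouveau_screen { struct nouveau_pushbuf *pushbuf; }; /* one pushbuf shared by all contexts */
struct nv30_context {
    struct nouveau_screen *screen;
    void *bufctx;                 /* push->user_priv points at this member */
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* One-slot allocator (assumption): freeing poisons the slot but leaves it
 * mapped, which is why the crash surfaces as a 0x5a5a... screen pointer
 * rather than a fault on the context address itself. */
static struct nv30_context ctx_slot;
static void ctx_free(struct nv30_context *ctx)
{
    memset(ctx, JUNK_FREED, sizeof *ctx);
}

/* The screen pointer nouveau_fence_next() would be handed on the next kick
 * (the frame #0 argument in the backtrace); NULL means the callback bailed
 * out early because user_priv was unset. */
struct nouveau_screen *kick_notify_screen(struct nouveau_pushbuf *push)
{
    struct nv30_context *nv30;
    if (!push->user_priv)
        return NULL;
    nv30 = container_of(push->user_priv, struct nv30_context, bufctx);
    return nv30->screen;          /* reads freed memory once the context is gone */
}

static struct nv30_context *ctx_create(struct nouveau_screen *screen)
{
    struct nv30_context *nv30 = &ctx_slot;
    memset(nv30, 0, sizeof *nv30);
    nv30->screen = screen;
    nv30->bufctx = (void *)0x1;                  /* stand-in for a real bufctx */
    screen->pushbuf->user_priv = &nv30->bufctx;  /* this context now owns the pushbuf */
    return nv30;
}

/* Buggy teardown: the pushbuf keeps pointing into the freed context. */
void ctx_destroy_buggy(struct nv30_context *nv30)
{
    ctx_free(nv30);
}

/* Fixed teardown: drop the pushbuf's reference before freeing. */
void ctx_destroy_fixed(struct nv30_context *nv30)
{
    struct nouveau_pushbuf *push = nv30->screen->pushbuf;
    if (push->user_priv == &nv30->bufctx)
        push->user_priv = NULL;
    ctx_free(nv30);
}

/* Create a context, tear it down, then let a deferred flush kick the pushbuf;
 * returns the screen pointer the kick callback would pass on. */
uintptr_t screen_after_destroy(void (*destroy)(struct nv30_context *))
{
    struct nouveau_pushbuf push = { NULL };
    struct nouveau_screen screen = { &push };
    struct nv30_context *nv30 = ctx_create(&screen);
    destroy(nv30);
    return (uintptr_t)kick_notify_screen(&push);
}

int main(void)
{
    printf("buggy: screen=0x%" PRIxPTR "\n", screen_after_destroy(ctx_destroy_buggy));
    printf("fixed: screen=0x%" PRIxPTR "\n", screen_after_destroy(ctx_destroy_fixed));
    return 0;
}
```

The buggy path reproduces the frame #0 argument from the backtrace (every byte of the screen pointer is the 0x5a junk byte), while the fixed path makes the kick callback take its early return.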
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.